The ability to request ?wsdl from a URL where it isn't specified by default, form the XML request without redundant headers (e.g. the same header mentioned several times), interpret WS-Security error messages and relay them to the user saying e.g. "You need to specify a valid username and password", and when the basic request has been formed, the ability to fuzz each field, look at the response for both returned values and error messages and report that to the user :-)

In essence, creating a working XML request can sometimes be tricky with some clients where their ?wsdl specifies another endpoint than what you have been given, so the tool should also be able to use a hardcoded ?wsdl URL that does not change even if the ?wsdl says otherwise. The tool should accept sample requests provided by the user, which the user knows are working, bypassing the initial phase/process in the program of creating a working XML request that responds as it should.

Just some ideas and the most annoying issues I have come across when testing.

Oh yeah, the tool should be able to proxy as well, so it can go through Burp, etc.

I am mostly experiencing issues with a WSDL defining too much (useless) information and incorrect endpoints when I am testing a WSDL that has just been moved from one location to another (from production to development) where the WSDL hasn't been updated.
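The stale-endpoint case described above, as an added example that is not part of the original thread or of the tool under discussion: it reads the `soap:address` locations from a WSDL, warns when they point at a different host than the one the WSDL was fetched from, and lets a tester-supplied endpoint take precedence. The function names, the `pinned` parameter and the example.com hosts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
# soap:address uses a different namespace for SOAP 1.1 and SOAP 1.2 bindings.
SOAP_ADDRESS_TAGS = ("{%ssoap/}address" % WSDL_NS, "{%ssoap12/}address" % WSDL_NS)

# Constructed sample: WSDL copied to a development host, still advertising production.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="urn:example:orders" targetNamespace="urn:example:orders">
  <service name="OrderService">
    <port name="OrderPort" binding="tns:OrderBinding">
      <soap:address location="https://prod.example.com/ws/orders"/>
    </port>
  </service>
</definitions>"""


def advertised_endpoints(wsdl_text):
    """Return {port name: soap:address location} for each port in the WSDL."""
    if "<!DOCTYPE" in wsdl_text:  # a WSDL needs no DTD; avoid entity tricks
        raise ValueError("WSDL contains a DOCTYPE; refusing to parse")
    found = {}
    for port in ET.fromstring(wsdl_text).iter("{%s}port" % WSDL_NS):
        for child in port:
            if child.tag in SOAP_ADDRESS_TAGS:
                found[port.get("name")] = child.get("location")
    return found


def resolve_endpoint(wsdl_text, wsdl_url, pinned=None):
    """Return (url to use, warnings); a pinned URL always wins over the WSDL."""
    fetched_host = urlsplit(wsdl_url).netloc.lower()
    endpoints = advertised_endpoints(wsdl_text)
    warnings = [
        "port %s advertises %s but the WSDL came from %s" % (name, loc, fetched_host)
        for name, loc in endpoints.items()
        if urlsplit(loc).netloc.lower() != fetched_host
    ]
    if pinned:
        return pinned, warnings
    if not endpoints:
        raise ValueError("no soap:address in WSDL and no pinned endpoint given")
    return next(iter(endpoints.values())), warnings


if __name__ == "__main__":
    print(resolve_endpoint(SAMPLE_WSDL, "https://dev.example.com/ws/orders?wsdl"))
```

The warning is returned even when a pinned endpoint is used, so the mismatch between the advertised and the tested host can still be reported.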

MaXe wrote: I am mostly experiencing issues with a WSDL defining too much (useless) information and incorrect endpoints when I am testing a WSDL that has just been moved from one location to another (from production to development) where the WSDL hasn't been updated.

++1 to the 'useless' data piece (and the rest, but definitely that)

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Excellent MaXe, thanks a lot. I agree with all the required features. Thanks again!!

So I am "All In" now. I started working on this project last weekend and at this point, I can send, receive and parse SOAP web services. Basic fuzzing will be the next step, so in about a week from now, this part should be working.

I suspect that the Alpha version will be ready in March 2013. I will keep you guys posted! I will need knowledgeable testers...